[system-administrators-guide/22] Misc corrections to OpenSSH

stephenw stephenw at fedoraproject.org
Tue Jun 9 20:21:41 UTC 2015


commit 8f56b7ad3210e2aa299cad487b2073e4549c06cf
Author: Stephen Wadeley <swadeley at redhat.com>
Date:   Thu Jun 4 00:42:18 2015 +0200

    Misc corrections to OpenSSH

 en-US/OpenSSH.xml |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)
---
diff --git a/en-US/OpenSSH.xml b/en-US/OpenSSH.xml
index 8fdef69..518d641 100644
--- a/en-US/OpenSSH.xml
+++ b/en-US/OpenSSH.xml
@@ -7,10 +7,10 @@
     <primary>OpenSSH</primary>
   </indexterm>
   <para>
-    <systemitem class="protocol">SSH</systemitem> (Secure Shell) is a protocol which facilitates secure communications between two systems using a client-server architecture and allows users to log in to server host systems remotely. Unlike other remote communication protocols, such as <systemitem class="protocol">FTP</systemitem> or <systemitem class="protocol">Telnet</systemitem>, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.
+    <systemitem class="protocol">SSH</systemitem> (Secure Shell) is a protocol which facilitates secure communications between two systems using a client-server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as <systemitem class="protocol">FTP</systemitem>, <systemitem class="protocol">Telnet</systemitem>, or <command>rlogin</command>, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.
   </para>
   <para>
-    The <application>ssh</application> program is designed to replace older, less secure terminal applications used to log in to remote hosts, such as <command>telnet</command> or <command>rsh</command>. A related program called <command>scp</command> replaces older programs designed to copy files between hosts, such as <command>rcp</command>. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log in to remote systems decreases the risks for both the client system and the remote host.
+    The <application>ssh</application> program is designed to replace older, less secure terminal applications used to log into remote hosts, such as <command>telnet</command> or <command>rsh</command>. A related program called <command>scp</command> replaces older programs designed to copy files between hosts, such as <command>rcp</command>. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
   </para>
   <para>
     &MAJOROS; includes the general OpenSSH package, <package>openssh</package>, as well as the OpenSSH server, <package>openssh-server</package>, and client, <package>openssh-clients</package>, packages. Note, the OpenSSH packages require the OpenSSL package <package>openssl-libs</package>, which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
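Review bot: the change from "log in to" to "log into" on lines 25 and 29 reverses the usual technical-writing convention, which treats "log in" as a phrasal verb followed by "to" ("log in to the server"); consider keeping "log in to" throughout rather than switching. The new list in line 25 also mixes a protocol markup (FTP, Telnet as systemitem class="protocol") with a program markup (rlogin as command); since the sentence is about protocols, either drop rlogin here or mark it consistently with the rsh/rcp programs named in the next paragraph. While this sentence is being touched, "rendering the connection difficult for intruders to collect unencrypted passwords" is awkward; "making it difficult for intruders to collect unencrypted passwords" reads more naturally.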
@@ -101,7 +101,7 @@
           <term>It provides secure means to use graphical applications over a network</term>
           <listitem>
             <para>
-              Using a technique called <firstterm>X11 forwarding</firstterm>, the client can forward <firstterm>X11</firstterm> (<firstterm>X Window System</firstterm>) applications from the server.
+              Using a technique called <firstterm>X11 forwarding</firstterm>, the client can forward <firstterm>X11</firstterm> (<firstterm>X Window System</firstterm>) applications from the server. Note that if you set the <option>ForwardX11Trusted</option> option to <literal>yes</literal> or you use SSH with the <option>-Y</option> option, you bypass the X11 SECURITY extension controls, which can result in a security threat.
             </para>
           </listitem>
         </varlistentry>
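Review bot: the sentence added in line 38 warns that ForwardX11Trusted set to yes, or the -Y option, bypasses the X11 SECURITY extension controls, but it does not tell the reader what the safer alternative is or where the option lives; consider stating that this is a client-side option in ssh_config, that untrusted forwarding (ForwardX11Trusted set to no) keeps the SECURITY extension controls in place, and what the option's default value is in the shipped ssh_config, since without that the reader cannot tell whether plain -X is also affected. "Can result in a security threat" is vague; "exposes the local X display to the remote host" says what the actual risk is.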
@@ -141,7 +141,7 @@
         <primary>SSH protocol</primary>
         <secondary>version 2</secondary>
       </indexterm>
-      <para>Two varieties of SSH currently exist: version 1, and newer version 2. The OpenSSH suite under &MAJOROS; uses SSH version 2, which has an enhanced key exchange algorithm not vulnerable to the known exploit in version 1. However, for compatibility reasons, the OpenSSH suite does support version 1 connections as well.</para>
+      <para>Two varieties of SSH currently exist: version 1 and version 2. The OpenSSH suite under &MAJOROS; uses SSH version 2, which has an enhanced key exchange algorithm not vulnerable to the known exploit in version 1. However, for compatibility reasons, the OpenSSH suite does support version 1 connections as well, although version 1 is disabled by default and needs to be enabled in the configuration files.</para>
       <important>
         <title>Avoid using SSH version 1</title>
         <para>To ensure maximum security for your connection, it is recommended that only SSH version 2-compatible servers and clients are used whenever possible.</para>
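Review bot: "needs to be enabled in the configuration files" in line 47 reads like an instruction to enable it, which sits uneasily next to the <important> block that immediately tells the reader to avoid version 1; "can be enabled" (or "is disabled by default") states the fact without implying it should be done. "The configuration files" is also vague; naming the relevant option and files (the Protocol directive in sshd_config and ssh_config) would let the reader verify that version 1 is off on their own system. The unchanged phrase "the known exploit in version 1" is equally vague; a short description of the weakness (or a reference) would make the recommendation concrete.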
@@ -174,7 +174,7 @@
         </listitem>
         <listitem>
           <para>
-            The remote client interacts with the remote host over the encrypted connection.
+            The client interacts with the remote host over the encrypted connection.
           </para>
         </listitem>
       </orderedlist>
@@ -219,7 +219,7 @@
           </listitem>
         </itemizedlist>
         <para>
-          During the key exchange, the server identifies itself to the client with a unique <firstterm>host key</firstterm>. If the client has never communicated with this particular server before, the server's host key is unknown to the client and it does not connect. OpenSSH gets around this problem by accepting the server's host key. This is done after the user is notified and has both accepted and verified the new host key. In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client's saved version before a connection can occur.
+          During the key exchange, the server identifies itself to the client with a unique <firstterm>host key</firstterm>. If the client has never communicated with this particular server before, the server's host key is unknown to the client and it does not connect. OpenSSH notifies the user that the authenticity of the host cannot be established and prompts the user to accept or reject it. The user is expected to independently verify the new host key before accepting it. In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client's saved version before a connection can occur.
         </para>
         <warning>
           <title>Always verify the integrity of a new SSH server</title>
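Review bot: line 65 still says that when the host key is unknown the client "does not connect", and then in the next sentence describes OpenSSH prompting the user to accept the key and continue; the two sentences contradict each other as written. "Does not connect automatically" (or "does not connect until the user accepts the key") resolves this. "The user is expected to independently verify the new host key" should say how: by comparing the fingerprint shown in the prompt against one obtained out of band from the server administrator, which is what the following warning is presumably about. The last sentence, unchanged here, tells the user to remove the saved key when it no longer matches; it should first say that a mismatch may indicate a man-in-the-middle attack or a legitimately reinstalled server, and that the user should establish which before deleting the entry, otherwise the check this paragraph describes is defeated.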

